Date: 2002-04-08 10:39 -0700
From: Steve Gustin <stegus1@yahoo.com>
To: bugtraq@securityfocus.com
Message-ID: <20020408173953.41082.qmail@web13401.mail.yahoo.com>
Subject: multiple CGIscript.net scripts - Remote Code Execution

multiple CGIscript.net scripts - Remote Code Execution
---------------------------------------------------------------------
Name      : multiple CGIscript.net scripts - Remote Code Execution
Date      : April 8, 2002
Product   : csGuestbook
            csLiveSupport
            csNewsPro
            csChatRBox
Vuln Type : Access Validation Error
Severity  : HIGH RISK
Vendor    : WWW.CGIscript.NET, LLC.
Homepage  : http://www.cgiscript.net/

DISCUSSION:
---------------------------------------------------------------------
CGIscript.net distributes a number of free and commercial Perl CGI scripts developed by Mike Barone and Andy Angrick. Last month a remote code execution vulnerability was found in their csSearch product; further research, together with information provided by the vendor, has revealed that four (4) additional scripts have the same vulnerability. These scripts are:

csGuestBook   - guestbook program
csLiveSupport - web based support/chat program
csNewsPro     - website news updater/editor
csChatRBox    - web based chat script

These scripts store their configuration data as Perl code in a file called "setup.cgi", which the script eval()uates at runtime to load the configuration back into memory. Due to an access validation error, the command that writes "setup.cgi" is not restricted to the administrator: any user can cause attacker-chosen "configuration data" to be written to "setup.cgi", and because that file is Perl code rather than plain data, the next load of the configuration executes arbitrary Perl code on the server.

EXPLOIT:
---------------------------------------------------------------------
Configuration data is (typically) saved with the following URL.
scriptname.cgi?command=savesetup&setup=PERL_CODE_HERE

Note that the Perl code must be URL encoded. A malicious user could thereby execute arbitrary Perl code or shell commands on the server. Only csChatRBox was tested for this vulnerability; however, the vendor stated that the other scripts are also affected.

Sysadmins wanting to scan for affected scripts should check for the following filenames: "csGuestbook.cgi", "csLiveSupport.cgi", "csNews.cgi", "csChatRBox.cgi".

IMPACT:
---------------------------------------------------------------------
Because of the high number of users of CGIscript.net scripts (over 17,000 csSearch users alone, according to the website), and because search engines can easily be used to identify sites by the distinctive "csScriptName.cgi" script names, the risk posed by these flaws is very high indeed.

Additionally, because the vendor does not post version numbers or changelogs (that we could find) on their website or with their software, and because the patched version of csChatRBox carries the same version number as the vulnerable version (1.0), it may be difficult for users to determine whether or not their installed script is vulnerable.

VENDOR RESPONSE
---------------------------------------------------------------------
The vendor has released updated versions of all the affected scripts to patch the flaws. The vendor was notified of the problem with csChatRBox on Mar 28th. At that time they stated that they were already aware of the problem and that four more scripts (besides csSearch) were affected: csGuestbook, csLiveSupport, csChatRBox, and csNewsPro. The vendor posted a notice on their site about the csChatRBox script, but stated that because they were contacting each customer of the purchased scripts individually, they did not feel a web site posting was warranted for those.
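The flaw described in the DISCUSSION and EXPLOIT sections has two halves: an unauthenticated "savesetup" command that writes the setup file, and a loader that runs that file as code. The following is an added example, not the vendor's code, written in Python so that exec() stands in for the Perl eval() the scripts use; the class names, the ADMIN_SESSION token, the ALLOWED_FIELDS list and the "view" command are assumptions made for illustration. It replays the savesetup request as an anonymous user against a model of the vulnerable pattern and against a hardened form that checks authorisation before writing and stores the configuration as JSON data that is never executed. The hardened form is one reasonable remedy, not a description of the vendor's actual patch.

```python
"""Model of the CGIscript.net "setup.cgi" flaw: configuration stored as
code, writable by anyone, executed on load.  Constructed example; Python
exec() plays the role of the scripts' Perl eval()."""
import json
import os
import tempfile
from urllib.parse import parse_qs, quote

ADMIN_SESSION = "admin-session-token"   # placeholder for real authentication
ALLOWED_FIELDS = ("title", "greeting")   # the only settings the hardened form stores


class VulnerableScript:
    """Config is code: written by an unauthenticated command, run on load."""

    def __init__(self, workdir):
        self.setup_path = os.path.join(workdir, "setup.cgi")
        self.config = {}

    def handle(self, query_string, session=None):
        params = parse_qs(query_string, keep_blank_values=True)
        command = params.get("command", [""])[0]
        if command == "savesetup":
            # Access validation error: no check that the caller is the admin.
            with open(self.setup_path, "w") as fh:
                fh.write(params.get("setup", [""])[0])
            return "saved"
        if command == "view":
            self.load_setup()
            return self.config.get("title", "")
        return "unknown command"

    def load_setup(self):
        with open(self.setup_path) as fh:
            code = fh.read()
        namespace = {}
        exec(code, namespace)             # the Perl eval() of setup.cgi
        self.config = namespace.get("config", {})


class HardenedScript:
    """Config is data: only the admin may write it, and it is never executed."""

    def __init__(self, workdir):
        self.setup_path = os.path.join(workdir, "setup.json")
        self.config = {}

    def handle(self, query_string, session=None):
        params = parse_qs(query_string, keep_blank_values=True)
        command = params.get("command", [""])[0]
        if command == "savesetup":
            if session != ADMIN_SESSION:  # authorise before any write
                return "403 forbidden"
            fields = {k: params.get(k, [""])[0] for k in ALLOWED_FIELDS}
            with open(self.setup_path, "w") as fh:
                json.dump(fields, fh)      # serialised data, not code
            return "saved"
        if command == "view":
            self.load_setup()
            return self.config.get("title", "")
        return "unknown command"

    def load_setup(self):
        if not os.path.exists(self.setup_path):
            self.config = {}
            return
        with open(self.setup_path) as fh:
            self.config = json.load(fh)   # json.load cannot execute anything


def attack(script_cls, workdir):
    """Send savesetup as an anonymous user, then trigger a load.
    Returns (save_response, marker_file_created)."""
    marker = os.path.join(workdir, "owned.txt")
    # The "configuration" is a program: drop a marker file, then define a
    # plausible config so the script keeps working and nothing looks odd.
    payload = (
        f"open({marker!r}, 'w').write('code ran')\n"
        "config = {'title': 'owned'}\n"
    )
    script = script_cls(workdir)
    save_response = script.handle("command=savesetup&setup=" + quote(payload))
    script.handle("command=view")          # next load runs whatever was saved
    return save_response, os.path.exists(marker)


def demo():
    results = {
        "vulnerable": attack(VulnerableScript, tempfile.mkdtemp()),
        "hardened": attack(HardenedScript, tempfile.mkdtemp()),
    }
    # The legitimate admin can still save settings on the hardened script.
    admin = HardenedScript(tempfile.mkdtemp())
    admin.handle("command=savesetup&title=My+Chat", session=ADMIN_SESSION)
    results["admin_title"] = admin.handle("command=view")
    return results


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable model the anonymous savesetup request is accepted and the marker file appears on the next load; against the hardened model the same request is refused before anything is written, and even an authenticated admin can only set the whitelisted string fields, which json.load hands back as data. Both changes matter: an authorisation check alone still leaves a code-as-config file for any other write path to abuse, and a data format alone still lets anyone overwrite the site's settings.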
VENDOR HISTORY:
---------------------------------------------------------------------
March 25, 2002 - csSearch.cgi - Remote Code Execution
http://online.securityfocus.com/archive/1/264169

DISCLAIMER
---------------------------------------------------------------------
The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lies within the user's responsibility.

FEEDBACK:
---------------------------------------------------------------------
If anyone has any other CGIscript.net scripts they'd like me to take a look at, just drop me a line at stegus1@yahoo.com.